Search results

  • Information Security Risk Assessment

    From my point of view you need to categorize assets. For example: Information (customer information, payroll information, etc.), Software (Navision, MS-SQL), Hardware (PCs, file servers, backup tapes). These assets are of different types and they have different threats/vulnerabilities, so the distinction is important.

    Regarding point 2 of your approach, remember that you also need to consider the impact in case the integrity or availability of each asset is compromised.

    Other comments: You also need to include assets like infrastructure, people, etc. Identify the asset owner, determine which risks are not acceptable, and note that the calculation of the value of the assets is not necessary if you assess the impact. See this article "How to assess consequences and likelihood in ISO 27001 risk analysis" : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
    Finally, this article can be interesting for you "How to handle Asset register (Asset inventory) according to ISO 27001" : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    And maybe this article can also be interesting for you:
    "How to write ISO 27001 risk assessment methodology" : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
  • Determine RTO for a business process


    When we determine the RTO for a business process, should we do it with the assumption of the critical periods or not? For example, payroll processing is not critical during the month, but only on the first day of the month. When we do the impact assessment, should we suppose the disaster will happen on the 1st of the month?
    When customizing a BIA questionnaire for a bank, what time frames (I mean 0-4 hrs / 8-12, etc.) should I use?

    Answer:

    From my point of view, the best is to establish the RTO according to the critical day (1st of the month); in this way you will have a “demanding” RTO for the rest of the month, but it should not be a problem for the organization. Another option, from my point of view, is to have 2 RTOs, one for the 1st and another for the rest of the month.
    Regarding the customization of the BIA questionnaire, the time frames depend on each business, so in some cases they can also be in minutes: 1-15m, 15-30m, etc.
    This article about the BIA can be interesting for you “How to implement business impact analysis (BIA) according to ISO 22301” : http://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
  • 12.1.2 Change management vs 14.2.2 System change control procedures


    Can you explain in detail the differences between 12.1.2 and 14.2.2 and give a few examples?

    Answer:

    Basically 12.1.2 is for changes related to operations or production (business processes, information processing facilities and systems that can affect information security), and 14.2.2 is for changes related to applications or software development (systems within the development lifecycle).
    Examples for 12.1.2: You have a system with Windows 8.1 and you want to update it to Windows 10. Your backup policy establishes a complete daily backup, and you change the frequency to once a week.
    Examples for 14.2.2: You are developing an application, and there are changes in the requirements & design stage of the software lifecycle because you want to add more features to the application. Or during coding your application connects to a database and you want to connect it to another database.
    In accordance with ISO 27002 14.2.2 System change control procedures: “Wherever practicable, application and operational change control procedures should be integrated”.
    Finally, this article can be interesting for you “How to manage changes in an ISMS according to ISO 27001 A.12.1.2” : https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/
  • controls assessment

    Generally there are security controls implemented before the risk assessment, so during the risk assessment you need to evaluate risks considering that these controls are implemented.
    The contribution of existing controls implemented is measured through decreased likelihood, and sometimes through decreased impact.
    If you have numerous controls that are implemented, you have to take into account their aggregate effect on impact and likelihood of risk - this means you have to list all the controls that are implemented, and take all of them into consideration when assessing the impact and likelihood.
    This article about the residual risk can be interesting for you "Why is residual risk so important?" : https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
  • No risks after risk assessment?


    We have finished the Risk Assessment, and we do not have any risk that needs treatment. We have been a TL9000 certified organization for years, and maybe because of that we have well-defined processes in place for all identified risks for our identified assets.
    The question I have is, do we have to have some risks that require treatment? Please advise how we should proceed.

    Answer:

    From my point of view, it is very rare that your organization does not have any risk that needs treatment, so maybe it can be interesting to review all risks identified, taking into account the level of acceptable risk (review also the threats/vulnerabilities identified for each asset). If after this there are no risks above the acceptable level, effectively the treatment is not needed, but again, an ISMS without risks above the acceptable level is very rare (some companies set a low acceptable level the first time; in this way, they generally treat all risks, because all are above the acceptable level).
    This article about the acceptable level of risk can be interesting for you “Risk appetite and its influence over ISO 27001 implementation” : https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/
    Remember also that there are basically 4 risk treatment options: apply controls, transfer the risk, avoid the risk and accept it. This article can be interesting for you “Risk Treatment Plan and risk treatment process – What’s the difference?” : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
  • ISO 27001 and ISO 27018

    1. You cannot certify ISO 27018, because this standard is only a code of best practices (like ISO 27002), but you can use its controls for the implementation and certification of ISO 27001. In this way, first you need to implement ISO 27001, and during the risk treatment you can implement controls of ISO 27018. This article about ISO 27001 and ISO 27018 can be interesting for you "ISO 27001 vs. ISO 27018 - Standard for protecting privacy in the cloud": https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
    2. ISO 27001 is basically about risk management related to information security: you need to protect the information by identifying risks and reducing them by applying security controls (so you can use a code of best practices for this, typically ISO 27002, which is composed of 114 security controls, but you can also use ISO 27018), and ISO 27018 is a code of best practices focused on the protection of personally identifiable information in public clouds, so you can use it to implement controls for the reduction of risks related to the cloud environment.
    This article about basic information of ISO 27001 can be interesting for you What is ISO 27001?: https://advisera.com/27001academy/what-is-iso-27001/
    And also this article about the differences between ISO 27001 and ISO 27002 ISO 27001 vs. ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
    3. I am sorry, but I am not sure what you mean. As I have explained before, ISO 27018 is only a code of best practices and you cannot certify it, but you can implement it, and you can have controls focused on the protection of personally identifiable information in public clouds, although in this way you cannot get certified and won't know how to manage risks related to information security.
    Finally, this article about the cloud computing can be interesting for you Cloud computing and ISO 27001 / BS 25999: https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
  • Information Security awareness


    How frequently should "Information Security Awareness Training" be done in an organization as per the ISO 27001 requirement, e.g. monthly, once in 6 months, or once a year?

    Answer:

    ISO 27001 does not establish a specific frequency for Information Security Awareness, although in accordance with the control A.7.2.2 Information security awareness, education and training: “All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates……”, so it can be recommendable to have an annual information security awareness programme.
    For this awareness program, this article can be interesting “8 Security Practices to Use in Your Employee Training and Awareness Program” : https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
  • Risk Assessment and frequency


    I want to know how often the Risk Assessment needs to be performed as per ISO 27001.

    Answer:

    In accordance with the clause 8.2 Information security risk assessment of ISO 27001:2013: “The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur….”.
    So, you can establish the frequency, although generally it can be recommendable once a year.
    Finally, do you know the 6 basic steps of the risk assessment & treatment? Please read this article “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • Information Security Policy template


    Thank you for your email. Actually, we need software to create an IT general policy and an information security policy and procedure. Could you please assist me with this issue? If such software or toolkits are available in your company, please let me know how to get them.

    Answer:

    For ISO 27001:2013 it is only mandatory to have an Information Security Policy documented (an IT general policy, or software to create it, is not mandatory), and we work only with the documents necessary for the implementation of this standard. So, if you are interested in this Information Security Policy, you can use our template. You can see a free version by clicking on the “Free Demo” tab here “Information Security Policy” : https://advisera.com/27001academy/documentation/information-security-policy/
    By the way, you can also see our toolkit “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/
    Finally, do you know the list of mandatory documents of ISO 27001:2013? Maybe this article can be interesting for you “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Software companies


    How can a small software company with fewer than 150 employees implement the ISO 27001 standard without much rise in cost and budget?

    Answer:

    You can search for external consultants for this job; generally you will find many prices, but maybe the cheapest option is to use templates and implement them by yourself (although you need knowledge about ISO 27001 to do this). Another good option is our templates, because we have all the necessary documents, and they are developed for small and medium companies. We also give you support during their implementation, so it can be very interesting in your case.
    This article can be interesting for you “5 criteria for choosing an ISO 22301 / ISO 27001 consultant” : https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/ and also this one “Do you really need a consultant for ISO 27001 / BS 25999 implementation?” : https://advisera.com/27001academy/blog/2011/12/06/do-you-really-need-a-consultant-for-iso-27001-bs-25999-implementation/
    You can see our toolkit here, and you can see a free version of each document by clicking on the “Free Demo” tab “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/